Posted: Mon May 27, 2002 2:27 am Post subject: What is Social Engineering?

Social Engineering is 80% of hacking in the majority of situations.

To quote from ESR's Jargon Lexicon:

The Jargon Dictionary wrote:

social engineering n.

Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem. See also the tiger team story in the patch entry.

This sums it up pretty well really. The most common form of social engineering is to phone up late at night when only the security guard is there, or another time when there are not-so-technical people around, and bombard them with meaningless technical jargon, then ask for a passcode or login/password for a certain system.

There is a more in-depth guide on social engineering by Rick Nelson here:

A substantial body of literature in social psychology demonstrates that there are at least six factors relying on peripheral routes to persuasion that are highly likely to persuade or influence others:

· Authority. People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present. A study of three Midwestern hospitals showed how responsive people can be to such assertions. In the study, 22 separate nurses' stations were contacted by a researcher who identified himself (falsely) as a hospital physician, and told the answering nurse to give 20 milligrams of a specified prescription drug to a particular patient on the ward. Four factors should have indicated that the nurses might have questioned the order: (1) It came from a "doctor" with whom the nurse had never before met or spoken; (2) the "doctor" was transmitting a prescription by telephone, in violation of hospital policy; (3) the drug in question was not authorized for use on the wards; and (4) the dosage that the "doctor" had specified was clearly dangerous, twice the maximum daily dosage. Yet in 95 percent of the cases, the nurse proceeded to obtain the necessary dosage from the ward medicine cabinet and was on her way to administer it to the patient before observers intercepted her and told her of the experiment.

· Scarcity. People are also highly responsive to indications that a particular item they may want is in short supply or available for only a limited period. Indeed, research by Dr. Jack Brehm of Stanford University indicates that people come to desire that item even more when they perceive that their freedom to obtain it is or may be limited in some way. The belief that others may be competing for the short supply of the desired item may enhance the person's desire even more.

· Liking and similarity. It is a truly human tendency to like people who are like us. Our identification of a person as having characteristics identical or similar to our own -- places of birth, or tastes in sports, music, art, or other personal interests, to name a few -- provides a strong incentive for us to adopt a mental shortcut, in dealing with that person, to regard him or her more favorably merely because of that similarity.

· Reciprocation. A well-recognized rule of social interaction requires that if someone gives us (or promises to give us) something, we feel a strong inclination to reciprocate by providing something in return. Even if the favor that someone offers was not requested by the other person, the person offered the favor may feel a strong obligation to respect the rule of reciprocation by agreeing to the favor that the original criminal asks in return -- even if that favor is significantly costlier than the original favor.

· Commitment and consistency. Society also places great store by consistency in a person's behavior. If we promise to do something, and fail to carry out that promise, we are virtually certain to be considered untrustworthy or undesirable. We therefore are more likely to take considerable pains to act in ways that are consistent with actions that we have taken before, even if, in the fullness of time, we later look back and recognize that some consistencies are indeed foolish.
One way in which social custom and practice makes us susceptible to appeals to consistency is the use of writing. A leading social psychologist, Professor Robert B. Cialdini, has observed that unless there is strong evidence to the contrary, "People have a natural tendency to think that a statement reflects the true attitude of the person who made it." Moreover, once the person who receives such a statement responds by preparing a written statement of his own -- whether a letter, an affidavit, or an e-mail -- it tends to make the writer believe in what he has written as well, adding to the impression that both parties have displayed their true attitudes and beliefs.

· Social proof. In many social situations, one of the mental shortcuts on which we rely, in determining what course of action is most appropriate, is to look to see what other people in the vicinity are doing or saying. This phenomenon, known as social proof, can prompt us to take actions that may be against our self-interest without taking the time to consider them more deeply. Cults from the Jonestown Temple to Heaven's Gate, for example, provide cogent evidence of how strong the effects of that phenomenon can be in the right circumstances.

He walked into an office in York, used an internal phone and rang one of the managers, told them he was security, they had a hacker in the system and he needed his usernames and passwords. Then walked out!

My experience is that Social Engineering is only 50% because if you're damn good at what you're doing it only takes a few minutes. What is the BS with calling at night dude? My experience is calling in the early morning (knowing the time zone difference) and when you're damn good you're damn good.

Social engineering is useful for many different occasions, not just obtaining usernames and passwords (in fact it's rather crude using it).
Why not use it on your boss to get a pay rise or convince a client to give a contract directly to you rather than hire the company as a middle man?
Influence and persuasion are phenomenal tools when abused correctly, especially if you understand a person's psyche and can manipulate them into making a decision they later regret. Then hit them with FUD (fear, uncertainty, doubt) if they start wavering.

Most email servers have the "Forgot my password" option, where upon registration the registrar will have to fill in a "secret question" and password. If you can get to know this person a bit, find out a little bit and get the answer to his question, voila!

I'll weigh in on this topic. Basically I define social engineering (SE) to be -
Any tool or method, that convinces someone to do or say, what they
should not or would not normally do, and using that method to gain
something of value to the engineer, without that person knowing they are
giving you anything.

With that definition, the never ending pron popups are proven to be a SE
technique. They breed frustration in the user who attempts to close them
as fast as they come up. The value provided is that they will, in all
likelihood, inadvertently click on one of your ads. You have gained that
valuable clickthrough fee.

Today I witnessed a great SE tactic with my son. He wanted an MSN
screen name for chatting in Trillian. We walked through the miserable
process of getting your .net passport and signed up for hotmail. It was a
terribly frustrating process where the passport kept getting denied and we
had to try over and over. Eventually we got in and were ready to sign in
to hotmail. Great!!.

Up comes this screen where, by all appearances you must click OK for
some service or the other. I caught my son before he clicked OK and
made him close that window, then log in to hotmail again. Voilà - right
to the hotmail with no bothers.

Evidence the tricks played, too, by Real Networks. You install RealPlayer
and say "no" to everything you can see as far as advertising and
additional "services". If I'm not mistaken there are over 15 visible in the
installation process alone. Several of them are lists with scrollbars. By
default those visible on the list are unchecked. Unless you are patient
enough to go down every single list you miss the other 15 or 20 items to
uncheck.

Then once the program is installed and you think you got one over on the
big bad real networks, you go into Preferences and find another ten or so
items that were not included in the install.

Then you go to Message Center and find yet another 15 or 20 items to turn off.

No doubt I have not found them all and God forbid I ever do an automatic
update as these things will all be set to "default" again.

So this is SE at its finest - getting something of value from me without my
knowing it, or against my desires, by trickery, impatience/frustration
and obscurity.

I have a description of social engineering on my site aimed at the average person.

However I would have to say that social engineering is what hacking will be. It's going to get to a point that actually trying to break the software is just going to take too long, hence you break the user.

I think Kevin Mitnick said it, but humans are the weakest link in the security chain.

No arguments there. No matter how up-to-date my virus defs are and which attachments I block, my users always find a way to infect their machines.

See Mitnick's The Art of Deception: Controlling the Human Element of Security or for how the big boys do it, John Nolan's elicitation primer Confidential: Uncover your Competitors' Top Business Secrets Legally and Quickly--and Protect Your Own.

To me, using Social Engineering to gather sensitive information from a business or even a home user is nothing more than a "con artist" at work hurting businesses or home users. I don't understand why, when you discuss Social Engineering, you don't call it a con artist at work to do harm?

Simplifying Social Engineering as just "con artist" is an oversimplification of a very deep area of professional studies. It uses any and all tools discovered in psychology, sociology, technology and is ever evolving in each area of study which all lead to tools and techniques.

Actually Social Engineering is the oldest technique in the world. Used in many areas and things.
From politics to simple conversations between a client and a salesman...

The concept is to get the other person to drop his/her defenses or dilemmas and push them to act in your interest, no matter if it is about a bunch of passwords or even signing a treaty for a nation.

Take a glance at the politicians while they are talking on TV... they tend to "push" someone over the edge in order to manipulate temper, words, behavior, in their interest.

Social engineering is always based on human psychology and "warfare".
Tactical moves, opposition and fake "attacks" are a very big part of the game and their success is always based on the way the other person will react... If it is possible to predict his/her reaction, or manipulate his/her behavior, by "pushing buttons" of their personality, the game is won.

Certain books that would help you a lot, besides the advertised ones,
are:

Remember that although people tend to behave similarly in situations, their small differences in how they are going to do it are the ones that give the advantage to the person who applies those techniques.

Another significant part is body language, although it will take me a whole page to analyse it here...